An industry built on serving adware has become a full-fledged malware distribution channel, with a thriving underground economy, according to researchers at SecureWorks.

The business model is known as pay-per-install (PPI), and profits by recruiting “affiliates” willing to facilitate malware installation on victims' computers.

According to a new report from the SecureWorks Counter Threat Unit titled "The Underground Economy of the Pay-Per-Install Business," the method begins when an affiliate interested in building a network of infected computers signs up to a PPI site and receives files from the PPI provider.

In the past, such sites typically served as the breeding ground for adware distribution, but now criminals are recruiting opportunists so they can receive more-pernicious malicious code. 

“People interested in getting into the business go to PPI sites, sign up and download executable files,” Kevin Stevens, a SecureWorks researcher, told SCMagazineUS.com Wednesday. “To make money, they install it on as many computers they can, using a variety of techniques, most of which are outlined on the PPI sites.”

The PPI sits contain methods and tools to help affiliates distribute the malicious files. Some of the options include distributing the malware through drive-by-download or peer-to-peer sites, or by using blackhat SEO methods, Stevens said.

The affiliates earn money for every 1,000 installations they execute, though the compensation can vary widely.

“One challenge affiliates encounter is that they must perform hundreds to thousands of installs to receive any significant income,” the report states.

The malware files being distributed typically make use of subterfuge to remain undetected, such as encrypted signatures to hide from anti-virus engines. Another technique is for malware programs to shut themselves down if they are running in a virtual machine.

“A virtual machine such as VMWare or VirtualBox has certain code that runs in the background – to virtualize hardware and processes,” Stevens said. “It doesn't have the same code running as it would if it were running on real hardware. The malware picks up on the processes [by trying to retrieve certain code] and if it finds one, kills itself.”